Is your hotel room lock safe? Why the answer could well be no

If, during your next hotel stay, you're met with a lock on your door like that pictured above, it's time for a conversation with management. This is an Onity HT series lock. Cody Brocious claims that the company has sold 10 million of its various locks to hoteliers, accounting for half of all locks worldwide, and appearing in one in three hotels. Described by Onity as its "flagship product," the HT series lock is its big seller: Brocious reckons there are 4 million HT series locks out there. Why does this matter? It matters because on July 24, Brocious took to the stage at the Black Hat conference in Las Vegas to demonstrate how to unlock one in a matter of milliseconds using gear you and I can buy off the shelf from Radioshack for under 50 bucks.

What's the password?

The problem is this. Each HT series lock includes a DC charger port on its underside. This is used by hotel staff not only to recharge the lock's batteries, but also to program the lock with the hotel's unique 32-bit sitecode. With a self-programmed Arduino board, a 5.6 k pull-up resistor, and a DC connector, you have the gear you need to talk to the lock. Obviously it's not as simple as sending an "Open Sesame" message to the lock—not quite, anyway. For that you'd need to know the 32-bit sitecode. How do you get the sitecode? Turns out you just ask the lock for it.

"Given an address, the lock will send back 16 bytes of memory from that point," Brocious explained on a slide from his July 24 presentation, entitled My Arduino Can Beat Up Your Hotel Room Lock. And it transpires the the sitecode is stored at the same memory address on every single lock. No authentication is required to retrieve it. Bewilderingly, unlocking the door is as simple as feeding the sitecode back to the lock. Once your home-brew device is connected, Brocious claims the whole process of reading the memory to unlocking the door takes just 200 ms. Given access to spare key cards, the technique can also be used to program duplicate keys.

Practical magic

In practice, the process may not be quite as easy as it sounds. Forbes' Andy Greenberg accompanied Brocious to some New York hotels and found that, of the three locks tested, Brocious was only able to open one (on the second attempt, having jiggered with his software). But one in three is still an unacceptably high success rate, though the few hotels tested are insufficient to draw broader conclusions. The exercise does at least demonstrate that the technique isn't 100 percent reliable—at least not as the research stood at the time.

Though Brocious has stated he does not intend to refine the technique, he has released the paper presented at Black Hat, and made his source code available through his website. At the time of writing, the dedicated IRC channel setup for further research had 25 members (all idling), discounting obvious pseudonyms. Brocious told Forbes that, with refinement, he believes the technique could be used to open a significantly higher proportion of locks.

With great power...

To many, Brocious's work is loaded with ethical questions, but what is beyond dispute is that Brocious has merely exploited and publicized a security flaw that is inherent to the HT series lock. He did not create the security flaw. And Brocious has clearly wrestled with the dilemma of whether and how to release his findings.

"The decision to make this information public has not been an easy one," Brocious writes in his paper. "While it's unlikely we'll ever know for sure, we must suspect that concerns were raised inside of Onity about these issues, given the ten-plus years that these locks have been in development and on the market. However, after much consideration it was decided that the potential short-term effects of this disclosure are outweighed by the long-term damage that could be done to hotels and the general public if the information was held by a select few."

In his presentation, Brocious suggested possible fixes to the vulnerability, but asserted that a physical replacement of all lock circuitboards would be necessary, as well as replacement of the front desk equipment. "The biggest impediment to mitigation is that the locks are not upgradeable," he said.

A case of impOnity?

On July 25, Onity put out a statement that attempted to downplay the issue, apparently contradicting Brocious's assertion that a hardware intervention is necessary. "Onity understands the hacking methods to be unreliable, and complex to implement," it said. "However to alleviate any concerns, we are developing a firmware upgrade for the affected lock-type."

On August 13, Onity issued a new statement (both can be read through that link) offering to send out physical caps to hotels with HT series locks. "To further enhance the security of this fix, we will also supply a security TORX screw with each mechanical cap to further secure the battery cover in the lock," the new statement said. Effective, so long as the would-be intruder forgot to add a Torx screwdriver to their shopping list. These caps will be ready for shipping by the end of the month, Onity claims.

In addition to the physical fix, Onity is also offering to replace the control boards of locks as well as shipping a firmware update. Onity says there will be a "nominal fee" for the control boards, but that's before shipping, handling and labor: three costs which the company says hotels must pay. And the fix only works for upgradable locks. Older locks must be replaced outright, again at the hotel's expense. In essence, though, Brocious was right. Hardware upgrades are required to fix the problem.

Contrition? Not so much

Remarkably, neither of Onity's statements show a hint of compunction. Arguably more worrying for a security firm: there's no recommendation that clients take up the offer of fixes. "If you are interested in pursuing this solution…" is about as close as it gets.

It's worth reiterating the potential scale of the problem. Assuming the figure of 4 million affected locks is accurate, that's 4 million potentially vulnerable hotel rooms. Even if we assume only half of those rooms are typically occupied, and those that are by a maximum of one resident at a time (staying on average 1.6 nights), that equates to 37.5 million travelers affected in the last 30 days alone.

The role of technology in the security sector is fundamental, but despite the rapid technological progress, one thing has remained constant: the importance of trust. Whether hoteliers wising up to the fact that they've bought what could be called a flawed security system will be willing to trust the supplier of said equipment for a fix… well, that remains to be seen.